No more under shield: transatlantic data flows to continue
The EU–US Privacy Shield was formally adopted by the European Commission in July. From 1 August 2016 onwards, the US Department of Commerce will start certifying companies that comply with the new requirements, and the transfer of personal data from EU-based businesses to the United States will finally regain legal certainty – at least to some extent.
The EU–US Privacy Shield, negotiated by the trade partners' executive bodies to replace the previous Safe Harbour system declared invalid by the Court of Justice of the European Union (CJEU) last October [see our previous article on the topic: Safe Harbor 2.0: EU–US Privacy Shield], has entered into force. Businesses in the United States interested in taking advantage of the framework are now reviewing the new requirements and updating their compliance programmes.
If you intend to transfer personal data across the Atlantic or process personal data in a US-based service under the Privacy Shield, it is advisable to confirm that the company in question has joined the framework by self-certifying with the US Department of Commerce. A dedicated website will be set up for that purpose. Keep in mind, however, that it may take some time for American companies to complete the process even after the starting date of 1 August 2016 due to a potential backlog of certification applications.
The lull before the storm?
Despite the Privacy Shield becoming operative, interesting times still lie ahead. The Article 29 Data Protection Working Party composed of national supervisory authorities has yet to give its view on the revised framework. This means that the regulators' reactions remain to be seen. The Commission's decision does not prevent national authorities from investigating or challenging the new framework, so stay tuned for further developments.
Meanwhile, Dr Max Schrems, the Austrian privacy activist and primus motor behind the CJEU's invalidation of the Safe Harbour, has brought another challenge against the transfer of personal data to the United States, this time aimed at so-called standard contractual clauses adopted by the European Commission. These model contracts provide an alternative mechanism for transferring personal data to countries that do not ensure an adequate level of data protection. Following the CJEU's Safe Harbour ruling, many businesses have switched to these model contracts as a way of ensuring the legality of their transatlantic data flows, and the clauses are extensively used when the service provider, or its IT equipment or operators, are located in a third country.
The new Schrems case adds to the ongoing uncertainty in the privacy space. Based on the argument that the same insufficiencies concerning government surveillance and inadequate judicial remedies established for the Safe Harbour may apply to the model contracts, the Irish Data Protection Commissioner has stated that it will seek a referral to the CJEU to determine the validity and legal status of the clauses. Depending on the outcome, companies may again be obligated to review their data transfer practices and arrangements.